Chapter 3 Authentication for FortiOS 5.0 : Examples and Troubleshooting : LDAP Dial-in using member-attribute
  
LDAP Dial-in using member-attribute
In this example, users defined in Microsoft Windows Active Directory (AD) are allowed to set up a VPN connection based solely on an attribute that is set to TRUE, instead of on their user group membership. In AD, the "Allow Dialin" property is activated in the user properties, and this sets the msNPAllowDialin attribute to "TRUE".
This same procedure can be used for other member attributes, as your system requires.
To accomplish this with a FortiGate unit, the LDAP server's member-attr setting must be configured. This can only be done through the CLI; the option is not available in the web-based manager.
Before configuring the FortiGate unit, ensure the AD server has the msNPAllowDialin attribute set to "TRUE" for the users in question. If not, those users will not be able to authenticate.
To configure user LDAP member-attribute settings - CLI
config user ldap
    edit "ldap_server"
        set server "192.168.201.3"
        set cnid "sAMAccountName"
        set dn "DC=fortilabanz,DC=com,DC=au"
        set type regular
        set username "fortigate@sample.com"
        set password ******
        set member-attr "msNPAllowDialin"
    next
end
To configure LDAP group settings - CLI
config user group
    edit "ldap_grp"
        set member "ldap_server"
        config match
            edit 1
                set server-name "ldap_server"
                set group-name "TRUE"
            next
        end
    next
end
 
Once these settings are in place, users that match the ldap_grp user group (those whose msNPAllowDialin attribute is "TRUE") will be able to authenticate.
To verify that your settings are correct, compare against the following sample output from a diag debug command, which shows the authentication process.
When the "Allow Dial-in" attribute is set to "TRUE", the following will likely appear in the output:
get_member_of_groups-Get the memberOf groups.
get_member_of_groups- attr='msNPAllowDialin', found 1 values
get_member_of_groups-val[0]='TRUE'
fnbamd_ldap_get_result-Auth accepted
fnbamd_ldap_get_result-Going to DONE state res=0
fnbamd_auth_poll_ldap-Result for ldap svr 192.168.201.3 is SUCCESS
fnbamd_auth_poll_ldap-Passed group matching
 
If the attribute is expected to be "TRUE" but is not set that way, the following will likely appear in the output:
get_member_of_groups-Get the memberOf groups.
get_member_of_groups- attr='msNPAllowDialin', found 1 values
get_member_of_groups-val[0]='FALSE'
fnbamd_ldap_get_result-Auth accepted
fnbamd_ldap_get_result-Going to DONE state res=0
fnbamd_auth_poll_ldap-Result for ldap svr 192.168.201.3 is SUCCESS
fnbamd_auth_poll_ldap-Failed group matching
The only difference between these two outputs is the last line, which reads either "Passed" or "Failed" depending on whether the member-attribute holds the expected value.
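The following Python script is an added illustration written for this page, not FortiOS code. It models the member-attribute group match that the CLI configuration above sets up (member-attr "msNPAllowDialin" compared against group-name "TRUE") and parses the fnbamd debug lines shown above into a short diagnosis. The AD entries are constructed, and exact case-sensitive string comparison is an assumption, since the page does not state how FortiOS compares attribute values. It also shows the case the page warns about: an account on which the attribute was never set fails the match just as one set to FALSE does.

```python
"""Model of the FortiGate member-attribute group match and a parser for the
fnbamd debug output. Added illustration for this page, not FortiOS code."""
import re
from typing import Dict, List

# Constructed AD user entries: attribute name -> list of values (LDAP
# attributes are multi-valued). "carol" never had "Allow Dialin" set.
AD_USERS: Dict[str, Dict[str, List[str]]] = {
    "alice": {"sAMAccountName": ["alice"], "msNPAllowDialin": ["TRUE"]},
    "bob":   {"sAMAccountName": ["bob"],   "msNPAllowDialin": ["FALSE"]},
    "carol": {"sAMAccountName": ["carol"]},
}

# Values taken from the CLI configuration on this page.
MEMBER_ATTR = "msNPAllowDialin"   # set member-attr "msNPAllowDialin"
GROUP_NAME = "TRUE"               # set group-name "TRUE"


def attribute_group_match(entry: Dict[str, List[str]],
                          member_attr: str = MEMBER_ATTR,
                          group_name: str = GROUP_NAME) -> bool:
    """True when any value of member_attr equals group_name.

    Assumed exact, case-sensitive comparison. A missing attribute yields no
    values and therefore fails, which is why the attribute must be set on the
    AD side before the user can authenticate.
    """
    return group_name in entry.get(member_attr, [])


def dialin_allowed(username: str) -> bool:
    """Look the user up in the constructed directory and apply the match."""
    entry = AD_USERS.get(username)
    return entry is not None and attribute_group_match(entry)


# Patterns for the fnbamd debug lines quoted on this page.
_ATTR_RE = re.compile(r"get_member_of_groups-\s*attr='([^']*)', found (\d+) values")
_VAL_RE = re.compile(r"get_member_of_groups-val\[(\d+)\]='([^']*)'")
_AUTH_RE = re.compile(r"fnbamd_ldap_get_result-Auth (\S+)")
_RESULT_RE = re.compile(r"fnbamd_auth_poll_ldap-(Passed|Failed) group matching")


def parse_fnbamd_debug(text: str) -> Dict[str, object]:
    """Extract the attribute checked, its values, the LDAP auth result and the
    group-match verdict from a debug capture."""
    parsed: Dict[str, object] = {"attr": None, "declared_count": None,
                                 "auth": None, "group_match": None}
    values: List[str] = []
    for line in text.splitlines():
        if m := _ATTR_RE.search(line):
            parsed["attr"] = m.group(1)
            parsed["declared_count"] = int(m.group(2))
        elif m := _VAL_RE.search(line):
            values.append(m.group(2))
        elif m := _AUTH_RE.search(line):
            parsed["auth"] = m.group(1)
        elif m := _RESULT_RE.search(line):
            parsed["group_match"] = m.group(1) == "Passed"
    parsed["values"] = values
    return parsed


def diagnose(text: str) -> str:
    """Turn a debug capture into a one-line explanation an admin can act on."""
    p = parse_fnbamd_debug(text)
    if p["auth"] != "accepted":
        return "LDAP did not accept the authentication; check credentials first"
    if p["attr"] != MEMBER_ATTR:
        return f"wrong attribute checked: {p['attr']!r} instead of {MEMBER_ATTR!r}"
    if p["group_match"]:
        return f"ok: {MEMBER_ATTR} contains {GROUP_NAME!r}"
    return (f"group match failed: {MEMBER_ATTR} values {p['values']} do not "
            f"contain {GROUP_NAME!r}; enable Allow Dial-in on the AD account")


# Sample debug captures, copied from the two outputs shown on this page.
PASS_DEBUG = """\
get_member_of_groups-Get the memberOf groups.
get_member_of_groups- attr='msNPAllowDialin', found 1 values
get_member_of_groups-val[0]='TRUE'
fnbamd_ldap_get_result-Auth accepted
fnbamd_ldap_get_result-Going to DONE state res=0
fnbamd_auth_poll_ldap-Result for ldap svr 192.168.201.3 is SUCCESS
fnbamd_auth_poll_ldap-Passed group matching
"""
FAIL_DEBUG = PASS_DEBUG.replace("'TRUE'", "'FALSE'").replace("Passed", "Failed")

if __name__ == "__main__":
    for user in AD_USERS:
        print(f"{user}: dial-in {'allowed' if dialin_allowed(user) else 'denied'}")
    print(diagnose(PASS_DEBUG))
    print(diagnose(FAIL_DEBUG))
```

Note that "Auth accepted" appears in both captures: the LDAP bind with the user's credentials succeeds either way, and only the group-match step differs. The diagnose function therefore checks the auth line first, so a credential problem is not mistaken for a missing attribute.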